Facebook Notification Feeds: Not So Private From Blog Search, After All

Lisa Barone posted today about being surprised to discover that some of her Facebook activities were showing up in Bloglines. How? She’s friends with John Harmon, and his Facebook notifications feed was apparently submitted over there. The odd thing is, Facebook says these feeds shouldn’t show up in Bloglines at all. After poking at it more, that turns out not to be the case. Below, more about what happened and how it may be impossible to fully keep a feed private, which has implications for you and your Facebook friends.

If you’re a Facebook user, you have a notifications page that shows you what various people you are friends with are doing — have they written on your wall, tagged a photo of you and so on. Here’s an example:

That page has its own feed. You’ll find it in the right-hand column under the "Subscribe to Notifications" heading:

The feed URL can be viewed by anyone who gets it. You don’t have to be logged into Facebook to view it. You don’t have to get pass any password barrier. If you know the feed URL, you can see everything in it — basically, everything you’d see on the notification page itself, just not as pretty.

So what about privacy? To my understanding, only you can see your actual feed URLs (you also have a feed for "Friends’ Status Updates" and perhaps others). If you don’t give out your URLs, then no one else can see them nor guess at them. That’s because while your feed URL will make use of your Facebook user ID number that isn’t hard to find (see Facebook Opens Profiles To Tap Into Google Traffic, While Google Grabs Facebook’s News Feed Idea for more on this), the URL also has a unique key number in it that no one’s really going to figure out.

Enter Bloglines. The purpose of the notifications feeds is so that you can keep up on Facebook when you’re not logged in. Give Bloglines your notifications feed, and then Bloglines can keep you updated with what’s going on while you’re "outside" Facebook.

Of course, if you give Bloglines a feed, then others searching on Bloglines can locate it, unless you mark it as private. Bloglines gives you this option each time you add a feed:

Notice, however, that the default setting is "Public." That means it’s easy for people to make public a feed that they don’t really intend to be shared with others. This is probably what happened to Lisa. John gave Bloglines his feed URL, didn’t tag it as private, so the world can see what’s going on. Since Lisa had an activity that hit his feed, suddenly her "private" world inside of Facebook spilled out inadvertently to the web in general.

The puzzling thing to me was that I remember reading something at Facebook that was supposed to prevent this. Remember that "Subscribe to Notifications" section I mentioned above? Look at again at the screenshot:

See the "Subscription Help" link? That leads to a help page describing in particular how your feed is supposed to be kept private on Bloglines:

Won’t Bloglines and other similar services make my notes content searchable by the world if my friends enter the URL for my Notes feed into those services?

Atom and RSS feeds from Facebook include the Bloglines Feed Access Control extension, and we set the access parameter to "deny" for all of our feeds. We also indicate in our robots.txt that feeds should not be visited or indexed by bots. The major aggregators and search engines (Bloglines, Technorati, Google, Yahoo!) all appear to respect these directives. If you are very concerned about the possibility of someone seeing your notes that you don’t want him or her to see, we’ve added a privacy option that you can set on your notes privacy page which will prevent any of your Notes from being syndicated in any RSS or Atom feed.

Hmm. Was John’s feed somehow without the access deny setting? Nope. At the bottom of the feed, there it was:

Odd. According to Bloglines’ own specs, that feed shouldn’t be showing. And yet, there it is. I’m checking with Bloglines about this [NOTE: see postscript below]. The only thing I can figure is that perhaps since the restriction element appears after the channel elements — rather than before them — perhaps that had an impact.

Facebook, as it explains, does make use of robots.txt to block these feeds from being indexed. Major search engines crawlers respect robots.txt, so Google itself shouldn’t be listing them (and in fact, if it was, something like this would bring them up. It doesn’t.).

Google Reader is different. It merrily blows past robots.txt restrictions, because as Google’s help files explain, it’s acting on behalf of a human request:

Feedfetcher requests come from explicit action by human users. When users add your feed to their Google homepage or to Google Reader, Google’s Feedfetcher attempts to obtain the content of the feed in order to display it. Since all requests come from humans, Feedfetcher has been designed to ignore robots.txt.

Now, unlike Bloglines, Google Reader doesn’t provide a way to search across all the feeds people are subscribing to. In fact, you can’t share a feed at all, from what I can tell. You can, however, easily share individual items from a feed or tag a feed or number of feeds with the same tag, then share that tag. So "private" Facebook feeds can be exposed.

Feeding, Facebook, and Privacy from eFoundations back in August has a bit more on some of the type of Facebook feeds there are beyond your notifications. It also notes how Bloglines had plenty of feeds exposed there (as you can see here, I can easily find over 500).

In short, you need to be aware that some of what you do on Facebook can indeed be seen outside Facebook, if your friends share feeds — even on Bloglines, which is supposed to not be listing these feeds. The only foolproof solution I can see is to switch your privacy settings down to restrict heavily the types of activities that might show up as notifications. I’ll also ping Facebook to see if they have any further advice to share.

Postscript: Bloglines has gotten back to me and said there was a bug in how it was handling feed access control in RSS 2.0 feeds, which is being fixed now.